Use of org.xdi.oxauth.model.jwt.Jwt in the oxAuth project by GluuFederation.
Class RejectsIncorrectCHashWhenCodeFlowUsed, method rejectsIncorrectCHashWhenCodeFlowUsed.
@Parameters({ "userId", "userSecret", "redirectUris", "redirectUri", "sectorIdentifierUri" })
@Test
public void rejectsIncorrectCHashWhenCodeFlowUsed(final String userId, final String userSecret, final String redirectUris, final String redirectUri, final String sectorIdentifierUri) throws Exception {
    showTitle("OC5:FeatureTest-Rejects Incorrect c hash when Code Flow Used");

    // Hybrid flow (code + id_token from the authorization endpoint): the id_token
    // must carry a c_hash that binds it to the code issued alongside it.
    final List<ResponseType> hybridResponseTypes = Arrays.asList(ResponseType.CODE, ResponseType.ID_TOKEN);

    // 1. Register client
    final RegisterRequest registration = new RegisterRequest(ApplicationType.WEB, "oxAuth test app", StringUtils.spaceSeparatedToList(redirectUris));
    registration.setResponseTypes(hybridResponseTypes);
    registration.setSectorIdentifierUri(sectorIdentifierUri);

    final RegisterClient registrar = new RegisterClient(registrationEndpoint);
    registrar.setRequest(registration);
    final RegisterResponse registered = registrar.exec();
    showClient(registrar);

    assertEquals(registered.getStatus(), 200, "Unexpected response code: " + registered.getEntity());
    assertNotNull(registered.getClientId());
    assertNotNull(registered.getClientSecret());
    assertNotNull(registered.getRegistrationAccessToken());
    assertNotNull(registered.getClientIdIssuedAt());
    assertNotNull(registered.getClientSecretExpiresAt());

    final String clientId = registered.getClientId();

    // 2. Request authorization
    final List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
    final String state = UUID.randomUUID().toString();
    final String nonce = UUID.randomUUID().toString();

    final AuthorizationRequest authzRequest = new AuthorizationRequest(hybridResponseTypes, clientId, scopes, redirectUri, nonce);
    authzRequest.setState(state);

    final AuthorizationResponse authzResponse = authenticateResourceOwnerAndGrantAccess(authorizationEndpoint, authzRequest, userId, userSecret);

    assertNotNull(authzResponse.getLocation(), "The location is null");
    assertNotNull(authzResponse.getCode(), "The code is null");
    assertNotNull(authzResponse.getIdToken(), "The idToken is null");
    // NOTE(review): state is only checked for presence; comparing it with the value
    // sent above would also exercise the CSRF binding of the redirect.
    assertNotNull(authzResponse.getState(), "The state is null");

    final String code = authzResponse.getCode();
    final String idToken = authzResponse.getIdToken();

    // 3. Validate code and id_token
    final Jwt jwt = Jwt.parse(idToken);
    assertNotNull(jwt.getHeader().getClaimAsString(JwtHeaderName.TYPE));
    assertNotNull(jwt.getHeader().getClaimAsString(JwtHeaderName.ALGORITHM));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.ISSUER));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.AUDIENCE));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.EXPIRATION_TIME));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.ISSUED_AT));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.CODE_HASH));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.AUTHENTICATION_TIME));

    // Tamper with c_hash only. The test expects the signature to still verify
    // afterwards (the signing input is evidently taken from the originally encoded
    // segments, not re-serialised from the mutated claims) while the code binding fails.
    jwt.getClaims().setClaim(JwtClaimName.CODE_HASH, "INCORRECT_C_HASH");

    // The verification algorithm is pinned to RS256 rather than read from the token
    // header, so a header-supplied "alg" cannot steer which check is performed.
    final RSAPublicKey opSigningKey = JwkClient.getRSAPublicKey(jwksUri, jwt.getHeader().getClaimAsString(JwtHeaderName.KEY_ID));
    final RSASigner verifier = new RSASigner(SignatureAlgorithm.RS256, opSigningKey);
    assertTrue(verifier.validate(jwt));
    assertFalse(verifier.validateAuthorizationCode(code, jwt));
}
Use of org.xdi.oxauth.model.jwt.Jwt in the oxAuth project by GluuFederation.
Class UserInfoRestWebServiceEmbeddedTest, method requestUserInfoHS384Step3.
@Parameters({ "userInfoPath" })
@Test(dependsOnMethods = "requestUserInfoHS384Step2")
public void requestUserInfoHS384Step3(final String userInfoPath) throws Exception {
    // Step 3 of the HS384 userinfo scenario: present the bearer token obtained in
    // step 2 and expect a signed JWT (HS384) carrying the requested claims.
    final Builder userInfoCall = ResteasyClientBuilder.newClient().target(url.toString() + userInfoPath).request();
    userInfoCall.header("Authorization", "Bearer " + accessToken6);

    final UserInfoRequest userInfoRequest = new UserInfoRequest(null);
    final Response response = userInfoCall.post(Entity.form(new MultivaluedHashMap<String, String>(userInfoRequest.getParameters())));
    final String entity = response.readEntity(String.class);

    showResponse("requestUserInfoHS384Step3", response, entity);

    assertEquals(response.getStatus(), 200, "Unexpected response code.");

    // Responses carrying user data must not be cached by intermediaries or browsers.
    final String cacheControl = response.getHeaderString("Cache-Control");
    final String pragma = response.getHeaderString("Pragma");
    assertTrue("no-store, private".equals(cacheControl), "Unexpected result: " + cacheControl);
    assertTrue("no-cache".equals(pragma), "Unexpected result: " + pragma);
    assertNotNull(entity, "Unexpected result: " + entity);

    try {
        // NOTE(review): Jwt.parse only decodes the compact serialisation; the HS384
        // signature is not verified here, so this step checks structure, not authenticity.
        final Jwt userInfoJwt = Jwt.parse(entity);
        assertNotNull(userInfoJwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER));
        assertNotNull(userInfoJwt.getClaims().getClaimAsString(JwtClaimName.NAME));
        assertNotNull(userInfoJwt.getClaims().getClaimAsString(JwtClaimName.EMAIL));
        assertNotNull(userInfoJwt.getClaims().getClaimAsString(JwtClaimName.PICTURE));
    } catch (InvalidJwtException e) {
        e.printStackTrace();
        fail(e.getMessage() + "\nResponse was: " + entity);
    } catch (Exception e) {
        e.printStackTrace();
        fail(e.getMessage());
    }
}
Use of org.xdi.oxauth.model.jwt.Jwt in the oxAuth project by GluuFederation.
Class UserInfoRestWebServiceEmbeddedTest, method requestUserInfoHS256Step3.
@Parameters({ "userInfoPath" })
@Test(dependsOnMethods = "requestUserInfoHS256Step2")
public void requestUserInfoHS256Step3(final String userInfoPath) throws Exception {
    // Step 3 of the HS256 userinfo scenario: present the bearer token obtained in
    // step 2 and expect a signed JWT (HS256) carrying the requested claims.
    final Builder userInfoCall = ResteasyClientBuilder.newClient().target(url.toString() + userInfoPath).request();
    userInfoCall.header("Authorization", "Bearer " + accessToken5);
    userInfoCall.header("Content-Type", MediaType.APPLICATION_FORM_URLENCODED);

    final UserInfoRequest userInfoRequest = new UserInfoRequest(null);
    final Response response = userInfoCall.post(Entity.form(new MultivaluedHashMap<String, String>(userInfoRequest.getParameters())));
    final String entity = response.readEntity(String.class);

    showResponse("requestUserInfoHS256Step3", response, entity);

    assertEquals(response.getStatus(), 200, "Unexpected response code.");

    // Responses carrying user data must not be cached by intermediaries or browsers.
    final String cacheControl = response.getHeaderString("Cache-Control");
    final String pragma = response.getHeaderString("Pragma");
    assertTrue("no-store, private".equals(cacheControl), "Unexpected result: " + cacheControl);
    assertTrue("no-cache".equals(pragma), "Unexpected result: " + pragma);
    assertNotNull(entity, "Unexpected result: " + entity);

    try {
        // NOTE(review): Jwt.parse only decodes the compact serialisation; the HS256
        // signature is not verified here, so this step checks structure, not authenticity.
        final Jwt userInfoJwt = Jwt.parse(entity);
        assertNotNull(userInfoJwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER));
        assertNotNull(userInfoJwt.getClaims().getClaimAsString(JwtClaimName.NAME));
        assertNotNull(userInfoJwt.getClaims().getClaimAsString(JwtClaimName.EMAIL));
        assertNotNull(userInfoJwt.getClaims().getClaimAsString(JwtClaimName.PICTURE));
    } catch (InvalidJwtException e) {
        e.printStackTrace();
        fail(e.getMessage() + "\nResponse was: " + entity);
    } catch (Exception e) {
        e.printStackTrace();
        fail(e.getMessage());
    }
}
Use of org.xdi.oxauth.model.jwt.Jwt in the oxAuth project by GluuFederation.
Class TokenRequest, method getClientAssertion.
/**
 * Builds the signed JWT presented as {@code client_assertion} when the client
 * authenticates with the JWT-based methods at the token endpoint.
 * <p>
 * Issuer and subject are both the client's auth username, the audience is the
 * configured {@code audience}, a fresh random {@code jti} is set, and the token
 * is valid for five minutes from now (UTC). When no algorithm was configured
 * HS256 is used; when no shared key was configured the client's auth password
 * (client secret) is used as the HMAC key.
 * <p>
 * NOTE(review): a signing failure is only logged. The method still returns the
 * serialised token, now with an empty signature segment, and the caller gets no
 * signal other than the log entry.
 *
 * @return the compact-serialised client assertion JWT.
 */
public String getClientAssertion() {
    if (algorithm == null) {
        algorithm = SignatureAlgorithm.HS256;
    }

    // iat = now, exp = now + 5 minutes, both in UTC.
    final GregorianCalendar utcClock = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
    final Date issuedAt = utcClock.getTime();
    utcClock.add(Calendar.MINUTE, 5);
    final Date expiresAt = utcClock.getTime();

    final Jwt assertion = new Jwt();

    // Header
    assertion.getHeader().setType(JwtType.JWT);
    assertion.getHeader().setAlgorithm(algorithm);
    if (StringUtils.isNotBlank(keyId)) {
        assertion.getHeader().setKeyId(keyId);
    }

    // Claims: the client identifies itself as both issuer and subject.
    final String clientIdentifier = getAuthUsername();
    assertion.getClaims().setIssuer(clientIdentifier);
    assertion.getClaims().setSubjectIdentifier(clientIdentifier);
    assertion.getClaims().setAudience(audience);
    assertion.getClaims().setJwtId(UUID.randomUUID());
    assertion.getClaims().setExpirationTime(expiresAt);
    assertion.getClaims().setIssuedAt(issuedAt);

    // Signature
    try {
        if (sharedKey == null) {
            // Fall back to the client secret as the symmetric signing key.
            sharedKey = getAuthPassword();
        }
        final String encodedSignature = cryptoProvider.sign(assertion.getSigningInput(), keyId, sharedKey, algorithm);
        assertion.setEncodedSignature(encodedSignature);
    } catch (Exception e) {
        // Covers InvalidJwtException and any provider failure alike; see class note above.
        LOG.error(e.getMessage(), e);
    }

    return assertion.toString();
}
Use of org.xdi.oxauth.model.jwt.Jwt in the oxAuth project by GluuFederation.
Class UserInfoClient, method exec.
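/**
 * Executes the call to the REST Service and processes the response.
 * <p>
 * The access token is attached according to the request's
 * {@code AuthorizationMethod}: in the {@code Authorization: Bearer} header
 * (also used when the method is {@code null}), as a form parameter of a POST,
 * or as a URL query parameter of a GET. A response declared as
 * {@code application/jwt} is either decrypted (five dot-separated segments,
 * JWE) or signature-verified (JWS) before its claims are exposed; any other
 * body is read as a plain JSON claims / error document.
 * <p>
 * All failures are swallowed (printed to stderr) and surface only as an empty
 * claims map on the returned response; callers must inspect the status, the
 * error fields and the claims rather than rely on an exception.
 *
 * @return The service response.
 */
public UserInfoResponse exec() {
    // Prepare request parameters
    initClientRequest();
    clientRequest.header("Content-Type", MediaType.APPLICATION_FORM_URLENCODED);
    clientRequest.setHttpMethod(getHttpMethod());

    final AuthorizationMethod authorizationMethod = getRequest().getAuthorizationMethod();
    final String accessToken = getRequest().getAccessToken();
    final boolean headerAuth = authorizationMethod == null || authorizationMethod == AuthorizationMethod.AUTHORIZATION_REQUEST_HEADER_FIELD;
    final boolean formAuth = authorizationMethod == AuthorizationMethod.FORM_ENCODED_BODY_PARAMETER;
    final boolean queryAuth = authorizationMethod == AuthorizationMethod.URL_QUERY_PARAMETER;

    if (StringUtils.isNotBlank(accessToken)) {
        if (headerAuth) {
            clientRequest.header("Authorization", "Bearer " + accessToken);
        } else if (formAuth) {
            clientRequest.formParameter("access_token", accessToken);
        } else if (queryAuth) {
            // Discouraged by RFC 6750 §2.3: the token ends up in server, proxy and browser logs.
            clientRequest.queryParameter("access_token", accessToken);
        }
    }

    // Call REST Service and handle response
    try {
        if (headerAuth || queryAuth) {
            clientResponse = clientRequest.get(String.class);
        } else if (formAuth) {
            clientResponse = clientRequest.post(String.class);
        }
        int status = clientResponse.getStatus();
        setResponse(new UserInfoResponse(status));

        String entity = clientResponse.getEntity(String.class);
        getResponse().setEntity(entity);
        getResponse().setHeaders(clientResponse.getMetadata());

        if (StringUtils.isNotBlank(entity)) {
            // Match the media type itself so "application/jwt;charset=UTF-8" is not
            // mistaken for a JSON document (which would fail to parse and drop the claims).
            if (isJwtContentType(clientResponse.getHeaders().get("Content-Type"))) {
                String[] jwtParts = entity.split("\\.");
                if (jwtParts.length == 5) {
                    // JWE: decrypt with the client's private key or its secret.
                    // NOTE(review): only decryption happens on this path; if the plaintext
                    // is itself a signed JWT its signature is not checked here unless
                    // Jwe.parse does so — confirm before relying on these claims.
                    byte[] sharedSymmetricKey = sharedKey != null ? sharedKey.getBytes(Util.UTF8_STRING_ENCODING) : null;
                    Jwe jwe = Jwe.parse(entity, privateKey, sharedSymmetricKey);
                    getResponse().setClaims(jwe.getClaims().toMap());
                } else {
                    // JWS: verify against the OP's JWKS (asymmetric) or the client secret (HMAC).
                    // The algorithm and kid come from the as-yet untrusted token header;
                    // NOTE(review): verifySignature is relied upon to reject "none" and
                    // key/algorithm mismatches — confirm.
                    Jwt jwt = Jwt.parse(entity);
                    OxAuthCryptoProvider cryptoProvider = new OxAuthCryptoProvider();
                    boolean signatureVerified = cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(), jwt.getHeader().getKeyId(), JwtUtil.getJSONWebKeys(jwksUri), sharedKey, jwt.getHeader().getAlgorithm());
                    // Claims of an unverifiable token are never exposed; the caller then
                    // sees a 200 with the raw entity but an empty claims map.
                    if (signatureVerified) {
                        getResponse().setClaims(jwt.getClaims().toMap());
                    }
                }
            } else {
                readJsonClaims(entity);
            }
        }
    } catch (Exception e) {
        e.printStackTrace();
    } finally {
        closeConnection();
    }

    return getResponse();
}

/**
 * Returns {@code true} when one of the Content-Type header values names the
 * {@code application/jwt} media type, ignoring case and any parameters
 * (e.g. {@code ;charset=UTF-8}).
 *
 * @param contentTypeValues the raw header values, may be {@code null}.
 */
private static boolean isJwtContentType(List<Object> contentTypeValues) {
    if (contentTypeValues == null) {
        return false;
    }
    for (Object value : contentTypeValues) {
        if (value == null) {
            continue;
        }
        String mediaType = value.toString().trim();
        int parametersStart = mediaType.indexOf(';');
        if (parametersStart >= 0) {
            mediaType = mediaType.substring(0, parametersStart).trim();
        }
        if (mediaType.equalsIgnoreCase("application/jwt")) {
            return true;
        }
    }
    return false;
}

/**
 * Reads a plain JSON userinfo (or error) document into the current response:
 * the standard {@code error}, {@code error_description} and {@code error_uri}
 * members are lifted into the typed error fields, and every remaining member
 * becomes a claim (JSON arrays are flattened to their string elements, any
 * other value is stored as its single string form). Malformed JSON is reported
 * to stderr and leaves the claims map as it was.
 *
 * @param entity the non-blank response body.
 */
private void readJsonClaims(String entity) {
    try {
        JSONObject jsonObj = new JSONObject(entity);

        if (jsonObj.has("error")) {
            getResponse().setErrorType(UserInfoErrorResponseType.fromString(jsonObj.getString("error")));
            jsonObj.remove("error");
        }
        if (jsonObj.has("error_description")) {
            getResponse().setErrorDescription(jsonObj.getString("error_description"));
            jsonObj.remove("error_description");
        }
        if (jsonObj.has("error_uri")) {
            getResponse().setErrorUri(jsonObj.getString("error_uri"));
            jsonObj.remove("error_uri");
        }

        for (Iterator<String> iterator = jsonObj.keys(); iterator.hasNext(); ) {
            String key = iterator.next();
            List<String> values = new ArrayList<String>();

            JSONArray jsonArray = jsonObj.optJSONArray(key);
            if (jsonArray != null) {
                for (int i = 0; i < jsonArray.length(); i++) {
                    String value = jsonArray.optString(i);
                    if (value != null) {
                        values.add(value);
                    }
                }
            } else {
                String value = jsonObj.optString(key);
                if (value != null) {
                    values.add(value);
                }
            }

            getResponse().getClaims().put(key, values);
        }
    } catch (JSONException e) {
        e.printStackTrace();
    }
}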